Hello, I'm trying to set up sTunnel to use client certificates in the following arrangement: Client Java Server (HTTP) --> sTunnel (HTTPS w/client cert) --> Windows IIS SOAP service, requires client cert The client certificate was generated from a MS CA cert generation tool, one we use for our internal certificates and our internal CA. The client cert was generated as a .pfx file and I used OpenSSL to convert it to a .pem file with the -nodes option. Testing without the client certificates shows that if the IIS hosted SOAP service is set to not require a client certificate, the sTunnel configuration works and we're able to communicate between the HTTP only client and the HTTPS IIS hosted service. However, once we add the certificate, the communication stops at the handshake. I'm wondering if I need to change the client .pem cert to have the private key (don't use the -nodes option when converting using OpenSSL). Here is the contents of the .conf file: ; Sample stunnel configuration file by Michal Trojnara 2002-2006 ; Some options used here may not be adequate for your particular configuration ; Certificate/key is needed in server mode and optional in client mode ; The default certificate is provided only for testing and should not ; be used in a production environment cert = user_cert.pem key = user_cert.pem ; Some performance tunings socket = l:TCP_NODELAY=1 socket = r:TCP_NODELAY=1 ; Workaround for Eudora bug ;options = DONT_INSERT_EMPTY_FRAGMENTS ; Authentication stuff ;verify = 2 ; Don't forget to c_rehash CApath ;CApath = certs ; It's often easier to use CAfile ;CAfile = certs.pem ; Don't forget to c_rehash CRLpath ;CRLpath = crls ; Alternatively you can use CRLfile ;CRLfile = crls.pem ; Some debugging stuff useful for troubleshooting debug = 7 output = c:\temp\stunnel.log ; Use it for client mode client = yes ; Service-level configuration ;[pop3s] ;accept = 995 ;connect = 110 ;[imaps] ;accept = 993 ;connect = 143 ;[ssmtp] ;accept = 465 ;connect = 25 [http] accept = 8090 connect = 10.12.32.164:443 TIMEOUTclose = 0 ; vim:ft=dosini Here is the output from the log file showing two attempts to hit the service with the client cert, one from a browser and one from a bit of client code: 2010.03.19 09:58:27 LOG5[5864:4032]: Reading configuration from file stunnel.conf 2010.03.19 09:58:27 LOG7[5864:4032]: RAND_status claims sufficient entropy for the PRNG 2010.03.19 09:58:27 LOG7[5864:4032]: PRNG seeded successfully 2010.03.19 09:58:27 LOG7[5864:4032]: Certificate: user_cert.pem 2010.03.19 09:58:27 LOG7[5864:4032]: Certificate loaded 2010.03.19 09:58:27 LOG7[5864:4032]: Key file: user_cert.pem 2010.03.19 09:58:27 LOG7[5864:4032]: Private key loaded 2010.03.19 09:58:27 LOG7[5864:4032]: SSL context initialized for service http 2010.03.19 09:58:27 LOG5[5864:4032]: Configuration successful 2010.03.19 09:58:27 LOG5[5864:4032]: No limit detected for the number of clients 2010.03.19 09:58:27 LOG7[5864:4032]: FD=176 in non-blocking mode 2010.03.19 09:58:27 LOG7[5864:4032]: Option SO_REUSEADDR set on accept socket 2010.03.19 09:58:27 LOG7[5864:4032]: Service http bound to 0.0.0.0:8090 2010.03.19 09:58:27 LOG7[5864:4032]: Service http opened FD=176 2010.03.19 09:58:27 LOG5[5864:4032]: stunnel 4.31 on x86-pc-mingw32-gnu with OpenSSL 0.9.8l 5 Nov 2009 2010.03.19 09:58:27 LOG5[5864:4032]: Threading:WIN32 SSL:ENGINE Sockets:SELECT,IPv6 2010.03.19 09:59:42 LOG7[5864:3864]: Service http accepted FD=440 from 127.0.0.1:49886 2010.03.19 09:59:42 LOG7[5864:3864]: Creating a new thread 2010.03.19 09:59:42 LOG7[5864:3864]: New thread created 2010.03.19 09:59:42 LOG7[5864:4328]: Service http started 2010.03.19 09:59:42 LOG7[5864:4328]: FD=440 in non-blocking mode 2010.03.19 09:59:42 LOG7[5864:4328]: Option TCP_NODELAY set on local socket 2010.03.19 09:59:42 LOG5[5864:4328]: Service http accepted connection from 127.0.0.1:49886 2010.03.19 09:59:42 LOG7[5864:4328]: FD=460 in non-blocking mode 2010.03.19 09:59:42 LOG6[5864:4328]: connect_blocking: connecting 10.12.32.164:443 2010.03.19 09:59:42 LOG7[5864:4328]: connect_blocking: s_poll_wait 10.12.32.164:443: waiting 10 seconds 2010.03.19 09:59:42 LOG5[5864:4328]: connect_blocking: connected 10.12.32.164:443 2010.03.19 09:59:42 LOG5[5864:4328]: Service http connected remote server from 10.12.47.109:49887 2010.03.19 09:59:42 LOG7[5864:4328]: Remote FD=460 initialized 2010.03.19 09:59:42 LOG7[5864:4328]: Option TCP_NODELAY set on remote socket 2010.03.19 09:59:42 LOG7[5864:4328]: SSL state (connect): before/connect initialization 2010.03.19 09:59:42 LOG7[5864:4328]: SSL state (connect): SSLv3 write client hello A 2010.03.19 09:59:42 LOG7[5864:4328]: SSL state (connect): SSLv3 read server hello A 2010.03.19 09:59:42 LOG7[5864:4328]: SSL state (connect): SSLv3 read server certificate A 2010.03.19 09:59:42 LOG7[5864:4328]: SSL state (connect): SSLv3 read server done A 2010.03.19 09:59:42 LOG7[5864:4328]: SSL state (connect): SSLv3 write client key exchange A 2010.03.19 09:59:42 LOG7[5864:4328]: SSL state (connect): SSLv3 write change cipher spec A 2010.03.19 09:59:42 LOG7[5864:4328]: SSL state (connect): SSLv3 write finished A 2010.03.19 09:59:42 LOG7[5864:4328]: SSL state (connect): SSLv3 flush data 2010.03.19 09:59:42 LOG7[5864:4328]: SSL state (connect): SSLv3 read finished A 2010.03.19 09:59:42 LOG7[5864:4328]: 1 items in the session cache 2010.03.19 09:59:42 LOG7[5864:4328]: 1 client connects (SSL_connect()) 2010.03.19 09:59:42 LOG7[5864:4328]: 1 client connects that finished 2010.03.19 09:59:42 LOG7[5864:4328]: 0 client renegotiations requested 2010.03.19 09:59:42 LOG7[5864:4328]: 0 server connects (SSL_accept()) 2010.03.19 09:59:42 LOG7[5864:4328]: 0 server connects that finished 2010.03.19 09:59:42 LOG7[5864:4328]: 0 server renegotiations requested 2010.03.19 09:59:42 LOG7[5864:4328]: 0 session cache hits 2010.03.19 09:59:42 LOG7[5864:4328]: 0 external session cache hits 2010.03.19 09:59:42 LOG7[5864:4328]: 0 session cache misses 2010.03.19 09:59:42 LOG7[5864:4328]: 0 session cache timeouts 2010.03.19 09:59:42 LOG6[5864:4328]: SSL connected: new session negotiated 2010.03.19 09:59:42 LOG6[5864:4328]: Negotiated ciphers: RC4-SHA SSLv3 Kx=RSA Au=RSA Enc=RC4(128) Mac=SHA1 2010.03.19 10:01:54 LOG3[5864:4328]: SSL_read: Connection reset by peer (WSAECONNRESET) (10054) 2010.03.19 10:01:54 LOG5[5864:4328]: Connection reset: 568 bytes sent to SSL, 0 bytes sent to socket 2010.03.19 10:01:54 LOG7[5864:4328]: Service http finished (0 left) 2010.03.19 10:03:28 LOG7[5864:3864]: Service http accepted FD=476 from 127.0.0.1:50155 2010.03.19 10:03:28 LOG7[5864:3864]: Creating a new thread 2010.03.19 10:03:28 LOG7[5864:3864]: New thread created 2010.03.19 10:03:28 LOG7[5864:1216]: Service http started 2010.03.19 10:03:28 LOG7[5864:1216]: FD=476 in non-blocking mode 2010.03.19 10:03:28 LOG7[5864:1216]: Option TCP_NODELAY set on local socket 2010.03.19 10:03:28 LOG5[5864:1216]: Service http accepted connection from 127.0.0.1:50155 2010.03.19 10:03:28 LOG7[5864:1216]: FD=440 in non-blocking mode 2010.03.19 10:03:28 LOG6[5864:1216]: connect_blocking: connecting 10.12.32.164:443 2010.03.19 10:03:28 LOG7[5864:1216]: connect_blocking: s_poll_wait 10.12.32.164:443: waiting 10 seconds 2010.03.19 10:03:28 LOG5[5864:1216]: connect_blocking: connected 10.12.32.164:443 2010.03.19 10:03:28 LOG5[5864:1216]: Service http connected remote server from 10.12.47.109:50156 2010.03.19 10:03:28 LOG7[5864:1216]: Remote FD=440 initialized 2010.03.19 10:03:28 LOG7[5864:1216]: Option TCP_NODELAY set on remote socket 2010.03.19 10:03:28 LOG7[5864:1216]: SSL state (connect): before/connect initialization 2010.03.19 10:03:28 LOG7[5864:1216]: SSL state (connect): SSLv3 write client hello A 2010.03.19 10:03:28 LOG7[5864:1216]: SSL state (connect): SSLv3 read server hello A 2010.03.19 10:03:28 LOG7[5864:1216]: SSL state (connect): SSLv3 read finished A 2010.03.19 10:03:28 LOG7[5864:1216]: SSL state (connect): SSLv3 write change cipher spec A 2010.03.19 10:03:28 LOG7[5864:1216]: SSL state (connect): SSLv3 write finished A 2010.03.19 10:03:28 LOG7[5864:1216]: SSL state (connect): SSLv3 flush data 2010.03.19 10:03:28 LOG7[5864:1216]: 1 items in the session cache 2010.03.19 10:03:28 LOG7[5864:1216]: 2 client connects (SSL_connect()) 2010.03.19 10:03:28 LOG7[5864:1216]: 2 client connects that finished 2010.03.19 10:03:28 LOG7[5864:1216]: 0 client renegotiations requested 2010.03.19 10:03:28 LOG7[5864:1216]: 0 server connects (SSL_accept()) 2010.03.19 10:03:28 LOG7[5864:1216]: 0 server connects that finished 2010.03.19 10:03:29 LOG7[5864:1216]: 0 server renegotiations requested 2010.03.19 10:03:29 LOG7[5864:1216]: 1 session cache hits 2010.03.19 10:03:29 LOG7[5864:1216]: 0 external session cache hits 2010.03.19 10:03:29 LOG7[5864:1216]: 0 session cache misses 2010.03.19 10:03:29 LOG7[5864:1216]: 0 session cache timeouts 2010.03.19 10:03:29 LOG6[5864:1216]: SSL connected: previous session reused 2010.03.19 10:04:28 LOG7[5864:1216]: Socket closed on read 2010.03.19 10:04:28 LOG7[5864:1216]: SSL write shutdown 2010.03.19 10:04:28 LOG7[5864:1216]: SSL alert (write): warning: close notify 2010.03.19 10:04:28 LOG6[5864:1216]: SSL_shutdown successfully sent close_notify 2010.03.19 10:04:28 LOG6[5864:1216]: s_poll_wait timeout: connection close 2010.03.19 10:04:28 LOG5[5864:1216]: Connection closed: 1541 bytes sent to SSL, 25 bytes sent to socket 2010.03.19 10:04:28 LOG7[5864:1216]: Service http finished (0 left) Any hints would be appreciated!